DETAILED ACTION 

1. Claims 7, 11-31 are pending. 

Response to Arguments 

Applicant's arguments filed 12/12/2007 have been fully considered but they are 
not persuasive. 

The Applicant has amended to include the new limitation "wherein the policy 
engine platform comprises a rule editor that is configured by the first user to perform at 
least one of deleting, adding, editing the at least one first policy by the first user." 

Terzis teaches the policy engine platform comprises a rule editor that is 
configured by the first user to perform at least one of deleting, adding, editing the at 
least one first policy by the first user. ("The interface between the policy engine and the SNMP 
agent may be used to add and delete policy objects" Paragraph [0064]) 

The Applicant has amended to include the limitation "and a setting editor that is 
configured by the first user to select a security level from the plurality of security levels 
by the second user." It is unclear in this limitation whether the first user or a second user 
selects the security level from the plurality of security levels. 

Furthermore, two users interacting in any way with respect to the setting editor 
does not appear to be supported by the specification. 

Pages 31-34 do not disclose "a first user to select a security level from the 
plurality of security levels by the second user." If the Applicant believes the limitation is 
supported, the Examiner requests that the Applicant refer specifically to the lines that 
describe the first user, the second user, and the interaction between the two. 

Terzis teaches a setting editor that is configured by the first user to select a 
security level from the plurality of security levels by the second user, ("an operator may be 
able to enter a set of human readable access rules that define what resources and services are 
accessible to that user (or machine). According to one embodiment, these human readable 
access rules are stored as policy objects." Paragraph [0136]) ("the policy engine talks to the 
components on the data plane to install and remove filters in response to policy rules," 
Paragraph [0062]) ("The policies can be determined both by the identity of the user as well as 
by the group the user is associated with... Based on the policies associated with that user, a set 
of specific access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access rules are 
used to control which users have access to what resources. The resource access rules 
define... permission level" Paragraph [0120]) The Examiner interprets permission level as the 
security level. 



Claim Rejections - 35 USC §112 



The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 
Claims 7, 11-31 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to 
one skilled in the relevant art that the inventor(s), at the time the application was filed, 
had possession of the claimed invention. 

Claims 7, 19, 24 recite the limitation "wherein the policy engine platform 
comprises a rule editor that is configured by the first user to perform at least one of 
deleting, adding, editing the at least one first policy by the first user." 

Throughout the specification the Applicant has referred to an advanced user that 
defines traditional packet-centric policies, as well as a less advanced user that develops 
policy based on application-centric policies (Applicant's Specification Paragraph [0010]). 

However, pages 31-34 do not disclose "a first user to select a security level from 
the plurality of security levels by the second user." 

Claims 11-18, 20-23, 25-31 are dependent on the above claims and are rejected 
for the same rationale. 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claims 7, 11-31 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 
Claims 7, 19, 24 recite the limitation "wherein the policy engine platform 
comprises a rule editor that is configured by the first user to perform at least one of 
deleting, adding, editing the at least one first policy by the first user." 

It is unclear in this limitation whether the first user or a second user selects the 
security level from the plurality of security levels. 

Claims 11-18, 20-23, 25-31 are dependent on the above claims and are rejected 
for the same rationale. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was 
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 
Claims 7-31 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Terzis (20040243835) in view of Lambert (20020099952). 

Regarding Claim 7, 

Terzis teaches an object model for managing a service on a computer, the object 
model comprising: 

A policy object model for specifying 

by a first user, at least one first policy that the service supports in a packet-centric 
form ("the subsystems include a firewall... The firewall operates at layer 4 
(transport)... The firewall serves to prevent unauthorized access of a network... by filtering out 
packets that originate from unauthorized users or sources. Performing filtering of packets can 
be effective in deterring certain types of unauthorized access attempts, but requires inspection 
of each packet" Paragraph [0089]) ("The resource access rules are used to control which 
users have access to what resources. The resource access rules define priority... The priority 
assigns a priority to the rule as each new incoming flow is evaluated against each of the policy 
rules according to their priority" Paragraph [0120]) and 

by a second user, at least one second policy by selecting a security level from a 
plurality of security levels, with each security level from the plurality of security levels 
being previously set for a specified user ("the policy engine talks to the components on the 
data plane to install and remove filters in response to policy rules," Paragraph [0062]) ("The 
policies can be determined both by the identity of the user as well as by the group the user is 
associated with... Based on the policies associated with that user, a set of specific access rules 
are generated that enable the subsystems to provide filtering and deny access to prohibited 
resources and services" Paragraph [0089]) ("The resource access rules are used to control 
which users have access to what resources. The resource access rules define... permission 
level" Paragraph [0120]) The Examiner interprets permission level as the security level. 

A policy engine platform for interacting of the first user with the at least one first 
policy and of the second user with the at least one second policy, and to provide the at 
least one first policy and the at least one second policy to at least one component that 
performs the service. 

("The policy interpreter interfaces to the SNMP Agent," Paragraph [0064], Fig 7.) 

The Examiner interprets the policy object model as the "policy engine" and policy 
engine platform as "policy interpreter." 

As seen in Fig. 7, the Policy Interpreter acts as an intermediary between the 
SNMP agent and the Policy engine. Because the purpose of a SNMP agent is to 
facilitate the exchange of information between network components and the purpose of the policy 
engine is to provide policies, it is inherent that the policy interpreter will provide one or 
more policies of which one will actually perform the service. 

Terzis teaches the policy engine platform comprises a rule editor that is 
configured by the first user to perform at least one of deleting, adding, editing the at 
least one first policy by the first user. ("The interface between the policy engine and the SNMP 
agent may be used to add and delete policy objects" Paragraph [0064]) 
Terzis teaches a setting editor that is configured by the first user to select a 
security level from the plurality of security levels for the second user, ("an operator may 
be able to enter a set of human readable access rules that define what resources and services 
are accessible to that user (or machine). According to one embodiment, these human readable 
access rules are stored as policy objects." Paragraph [0136]) ("the policy engine talks to the 
components on the data plane to install and remove filters in response to policy rules," 
Paragraph [0062]) ("The policies can be determined both by the identity of the user as well as 
by the group the user is associated with... Based on the policies associated with that user, a set 
of specific access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access rules 
are used to control which users have access to what resources. The resource access rules 
define... permission level" Paragraph [0120]) The Examiner interprets permission level as the 
security level. 

Terzis does not explicitly teach if it has been determined that the first user is 
authorized to perform the specification by comparing a rank of the first user against a 
permitted rank. The Examiner interprets a permitted rank as the priority level, as 
described by the Applicant in pg. 8 of Remarks, "A policy provider is associated with a 
particular priority class or level" (Paragraph [0051] of Specification). 

Lambert teaches determining whether a first user is authorized to perform the 
specification by comparing a rank of the first user to a permitted rank before specifying 
a policy, ("the group policy objects... may be provided by administrators per site, domain, 
organizational unit, group and user. Among other things, group policy technology also provides 
a flexible and hierarchical way in which each administrator can establish which policies will win 
out over others if multiple policies conflict. For example, site policies can be set up to prevail 
over domain policies, which in turn can be set up to prevail over organizational unit policies...." 
Paragraph [0080]) 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the object model of Terzis with the policy provider priority ranking 
system of Lambert. 

The motivation is that Lambert teaches a well known way to deal with conflicts 
with group policy objects. 

Regarding Claims 11 and 12, 

Terzis and Lambert teach the object model of claim 7, Terzis further teaches 
wherein the policy engine platform comprises a setting editor configured to 
automatically generate a policy based upon an application and user combination, 
wherein the setting editor generates a plurality of policies, and is further configured to 
permit said second user to select from the plurality of policies. 

("After a user has successfully logged [in]... the Launch-pad module may contact the 
policy engine to receive the list of resources that are available to that user... Once found the 
policy engine may return each of the resources in those rules back to the Launch-pad module," 
Paragraph [0065]) 
Where the Launch-pad is defined as a user interface in Paragraph [0100]. The 
launch pad screen is capable of displaying "applications... that are specifically made 
available to that user" (Paragraph [0106]). 

The Examiner interprets the second user to be an administrator that implements 
user-centric policies. (The resource access rules are used to control which users have 
access to what resources. Paragraph [0120]) 

Regarding Claim 13, 

Terzis and Lambert teach the object model of claim 12, Terzis further teaches 
wherein the setting editor is further configured by said second user to permit setting 
one of the plurality of policies as a default policy. 

("generating, based on the access policies, at least one access rule for each of a 
plurality of security system sublayers," Claim 1) 

The Examiner interprets the at least one access rule as the default policy. 

The Examiner interprets the second user to be an administrator that implements 
user-centric policies. (The resource access rules are used to control which users have 
access to what resources. Paragraph [0120]) 



Regarding Claim 14, 
Terzis and Lambert teach the object model of claim 7, Terzis further teaches 
wherein the policy engine platform comprises a rule explorer for providing a view of the 
at least one first policy and the at least one second policy. 

Because the policy interpreter interfaces between the SNMP agent and the policy 
engine (Fig. 7) it is inherent that there will be a component that allows a view of one or 
more of the policies. 

Regarding Claim 15, 

Terzis and Lambert teach the object model of claim 7, Terzis further teaches 
wherein the policy object model comprises a policyrule object usable to generate 
policy, the policyrule object comprising a condition property and an action property, 
wherein a policy generated by the policyrule object is configured to perform an action in 
the action property responsive to a condition in the condition property being met. (Fig. 
6, 670) 

Regarding Claim 16, 

Terzis and Lambert teach the object model of claim 7, Terzis further teaches 
wherein the service is a firewall service. ("According to one embodiment the rules are 
generated and installed at the firewall level" Paragraph [0019]) 



Application/Control Number: 10/740,748 
Art Unit: 2139 
Page 12 

Regarding Claim 17, 

Terzis and Lambert teach the object model of claim 7, Terzis further teaches 
wherein the policy engine platform is configured to deny providing said one or more 
policies to the component if a requester is not authorized. ("Based on the policies 
associated with that user, a set of specific access rules are generated that enable the 
subsystems to provide filtering and deny access to prohibited resources and services." 
Paragraph [0088]) 

Regarding Claim 18, 

Terzis and Lambert teach the object model of claim 17, Terzis further teaches 
wherein determining whether a requester is authorized comprises comparing a 
provider rank for the requester against a permitted rank, and if the provider rank for the 
requester does not meet or exceed the permitted rank, denying the requester. (Fig 6. 
675, PermissionLevel) 

The Examiner interprets the parameter PermissionLevel under the Resource 
Access Rules as rank. Where the PermissionLevel is checked against a permitted 
PermissionLevel and if the PermissionLevel does not meet or exceed the permitted 
rank, the requester is denied. 
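Read together, the limitations mapped above describe a small rule engine: a policyrule object carrying a condition property and an action property (claim 15), a rule editor that refuses changes from a requester whose provider rank does not meet or exceed the permitted rank (claims 7 and 18), and priority-ordered evaluation of each incoming flow so that a higher-priority policy prevails when several match (Terzis Paragraph [0120], Lambert Paragraph [0080]). The Python below is an added illustration written for this page; it is not code from the Office Action, the Applicant's specification, Terzis or Lambert. The class and function names (FiveTuple, PolicyRule, PolicyEngine, rank_allows, match), the numeric ranks and priorities, and the sample flows are all constructed assumptions chosen for the example.

```python
"""Illustrative model of a condition/action policy object model with a
provider-rank check and priority-ordered evaluation.

Added example; all names, ranks and sample flows below are assumptions made
for this illustration, not values taken from the cited references.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class FiveTuple:
    """The standard 5-tuple a condition is evaluated against."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass
class PolicyRule:
    """A policyrule object: a condition property and an action property,
    plus the priority used to resolve conflicts and the rank of the
    provider who specified it."""
    name: str
    condition: Callable[[FiveTuple], bool]
    action: str            # e.g. "allow" or "deny"
    priority: int = 0      # lower value wins when several rules match
    provider_rank: int = 0 # rank of the user who specified the rule


def match(**expected) -> Callable[[FiveTuple], bool]:
    """Build a condition over the 5-tuple from the fields given; with no
    fields it matches every flow (useful for a default rule)."""
    def cond(flow: FiveTuple) -> bool:
        return all(getattr(flow, k) == v for k, v in expected.items())
    return cond


def rank_allows(provider_rank: int, permitted_rank: int) -> bool:
    """The rank check: the provider rank must meet or exceed the permitted rank."""
    return provider_rank >= permitted_rank


class PolicyEngine:
    """Holds the rules, gates edits by rank, and evaluates flows by priority."""

    def __init__(self, permitted_rank: int):
        self.permitted_rank = permitted_rank
        self.rules: List[PolicyRule] = []

    def add_rule(self, rule: PolicyRule, requester_rank: int) -> bool:
        """Rule editor: refuse the addition if the requester is not authorized."""
        if not rank_allows(requester_rank, self.permitted_rank):
            return False
        self.rules.append(rule)
        return True

    def evaluate(self, flow: FiveTuple) -> Optional[str]:
        """Evaluate the flow against the rules in priority order; the first
        matching condition supplies the action. None means no rule matched."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.condition(flow):
                return rule.action
        return None


def demo() -> Dict[str, object]:
    """Constructed scenario: an administrator of rank 7 may edit rules, a
    user of rank 3 may not; three sample flows are then evaluated."""
    engine = PolicyEngine(permitted_rank=5)
    added_admin = engine.add_rule(
        PolicyRule("allow-web", match(dst_port=443, proto="tcp"), "allow", priority=10, provider_rank=7),
        requester_rank=7)
    # Rank 3 is below the permitted rank, so this permissive rule is rejected.
    added_low = engine.add_rule(
        PolicyRule("allow-all", match(), "allow", priority=0, provider_rank=3),
        requester_rank=3)
    engine.add_rule(PolicyRule("deny-telnet", match(dst_port=23), "deny", priority=1, provider_rank=7), 7)
    engine.add_rule(PolicyRule("default-deny", match(), "deny", priority=100, provider_rank=7), 7)

    # Constructed sample flows (documentation-range addresses).
    web = FiveTuple("10.0.0.5", "192.0.2.10", 51000, 443, "tcp")
    telnet = FiveTuple("10.0.0.5", "192.0.2.10", 51001, 23, "tcp")
    udp443 = FiveTuple("10.0.0.5", "192.0.2.10", 51002, 443, "udp")
    return {
        "added_admin": added_admin,
        "added_low": added_low,
        "web": engine.evaluate(web),
        "telnet": engine.evaluate(telnet),
        "udp443": engine.evaluate(udp443),
    }


if __name__ == "__main__":
    print(demo())
```

The rejected "allow-all" rule is the point of the rank check: had it been accepted at priority 0 it would have prevailed over every other rule, which is why the edit itself, not only the resulting policy, is gated by rank.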



Regarding Claim 19, 
Terzis and Lambert teach a method of managing a service on a computer, the 
method comprising: 

specifying, via a policy object model, by a first user, one or more policies that the 
service supports in a packet-centric form ("the subsystems include a firewall... The firewall 
operates at layer 4 (transport)... The firewall serves to prevent unauthorized access of a 
network... by filtering out packets that originate from unauthorized users or sources. Performing 
filtering of packets can be effective in deterring certain types of unauthorized access attempts, 
but requires inspection of each packet" Paragraph [0089]), and, by a second user, at least 
one second policy by selecting a security level from a plurality of security levels, with 
each security level from the plurality of security levels being previously set for a 
specified application and a specified user; ("The policy engine talks to the components on 
the data plane to install and remove filters in response to policy rules," Paragraph [0062]) ("The 
resource access rules are used to control which users have access to what resources. The 
resource access rules define... permission level" Paragraph [0120]) The Examiner interprets 
permission level as the security level. 

and interacting, via a policy engine platform, of said first user at least one first 
policy specified in said packet-centric form, and of said second user with said one or 
more policies specified in said user-centric form and/or said application-centric form; 
("the Launch-pad module may contact the policy engine to receive the list of resources that are 
available" Paragraph [0065]) ("The resource access rules are used to control which users have 
access to what resources. The resource access rules define... permission level" Paragraph 
[0120]) The Examiner interprets permission level as the security level. 
and providing, via the policy engine platform, said one or more policies to said at 
least one component that actually performs the service. ("Once found the policy engine 
may return each of the resources in those rules back to the Launch-pad module" Paragraph 
[0065]) 

Terzis teaches "the subsystems include a firewall... The firewall operates at layer 4 
(transport)... The firewall serves to prevent unauthorized access of a network... by filtering out 
packets that originate from unauthorized users or sources. Performing filtering of packets can 
be effective in deterring certain types of unauthorized access attempts, but requires inspection 
of each packet." (Paragraph [0089]) Terzis further teaches "The policies can be determined 
both by the identity of the user as well as by the group the user is associated with... Based on 
the policies associated with that user, a set of specific access rules are generated that enable 
the subsystems to provide filtering and deny access to prohibited resources and services" 
(Paragraph [0089]) 

The Examiner interprets the first user to be an administrator that implements 
packet-centric policies. (The security rules 690 may describe how packets matching the 
source, destination objects should be secured. Paragraph [0130]) 

The Examiner interprets the second user to be an administrator that implements 
user-centric policies. (The resource access rules are used to control which users have 
access to what resources. Paragraph [0120]) 

Terzis teaches the policy engine platform comprises a rule editor that is 
configured by the first user to perform at least one of deleting, adding, editing the at 
least one first policy by the first user. ("The interface between the policy engine and the SNMP 
agent may be used to add and delete policy objects" Paragraph [0064]) 
Terzis teaches a setting editor that is configured by the first user to select a 
security level from the plurality of security levels for the second user, ("an operator may 
be able to enter a set of human readable access rules that define what resources and services 
are accessible to that user (or machine). According to one embodiment, these human readable 
access rules are stored as policy objects." Paragraph [0136]) ("the policy engine talks to the 
components on the data plane to install and remove filters in response to policy rules," 
Paragraph [0062]) ("The policies can be determined both by the identity of the user as well as 
by the group the user is associated with... Based on the policies associated with that user, a set 
of specific access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access rules 
are used to control which users have access to what resources. The resource access rules 
define... permission level" Paragraph [0120]) The Examiner interprets permission level as the 
security level. 

Terzis does not explicitly teach if it has been determined that the first user is 
authorized to perform the specification by comparing a rank of the first user against a 
permitted rank. The Examiner interprets a permitted rank as the priority level, as 
described by the Applicant in pg. 8 of Remarks, "A policy provider is associated with a 
particular priority class or level" (Paragraph [0051] of Specification). 

Lambert teaches determining whether a first user is authorized to perform the 
specification by comparing a rank of the first user to a permitted rank before specifying 
a policy, ("the group policy objects... may be provided by administrators per site, domain, 
organizational unit, group and user. Among other things, group policy technology also provides 
a flexible and hierarchical way in which each administrator can establish which policies will win 
out over others if multiple policies conflict. For example, site policies can be set up to prevail 
over domain policies, which in turn can be set up to prevail over organizational unit policies...." 
Paragraph [0080]) 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the object model of Terzis with the policy provider priority ranking 
system of Lambert. 

The motivation is that Lambert teaches a well known way to deal with conflicts 
with group policy objects. 

Regarding Claim 20, 

Terzis and Lambert teach the method of claim 19, Terzis further teaches further 
comprising automatically generating a policy based upon an application and user 
combination. ("After a user has successfully logged into the MACSS, the Launch-pad module 
may contact the policy engine to receive the list of resources that are available to that user," 
Paragraph [0065]) 

Regarding Claim 21, 

Terzis and Lambert teach the method of claim 20, Terzis further teaches further 
comprising generating a plurality of policies, and permitting a user to select from the 
plurality of policies. ("Once found the policy engine may return each of the resources in those 
rules back to the Launch-pad module" Paragraph [0065]) 

As described before the Launch-pad module is a user interface. Examples can 
be found in Fig. 4 and Fig. 5. 

Regarding Claim 22, 

Terzis and Lambert teach the method of claim 21, Terzis further teaches further 
comprising setting one of the plurality of policies as a default policy, ("generating, based 
on the access policies, at least one access rule for each of a plurality of security system 
sublayers," Claim 1) 

The Examiner interprets the at least one access rule as the default policy. 

Regarding Claim 23, 

Terzis and Lambert teach the method of claim 22, Terzis further teaches further 
comprising authorizing a user prior to allowing the user to select the at least one policy 
from the plurality of policies. 

It is inherent that the system administrator is authorized prior to selecting one 
policy from a plurality of policies. ("A system administrator uses user interfaces... to create 
access/security rules that allow users access to specific network resources based on a variety 
of parameters" Paragraph [0056]) 
Regarding Claim 24, 

Terzis and Lambert teach an object model embodied on a computer-readable 
medium for managing a firewall service on a computer, the object model comprising a 
policy object model used to specify, by a first user, one or more policies that the 
firewall service supports in a packet-centric form, and, by a second user at least one 
second policy by selecting a security level from a plurality of security levels, with each 
security level from the plurality of security levels being previously set for a specified 
application and a specified user ("The resource access rules are used to control which 
users have access to what resources. The resource access rules define... permission level" 
Paragraph [0120], The Examiner interprets permission level as the security level), the policy 
model comprising a policyrule object usable to generate policy (Fig. 6, PolicyRule, 670), 
the policyrule object comprising a condition property and an action property, wherein a 
policy generated by the policyrule object is configured to perform an action in the action 
property responsive to a condition in the condition property being met. 

It is inherent that the policy rule is configured to perform an action responsive to 
a condition being met. 

Terzis teaches "the subsystems include a firewall... The firewall operates at layer 4 
(transport)... The firewall serves to prevent unauthorized access of a network... by filtering out 
packets that originate from unauthorized users or sources. Performing filtering of packets can 
be effective in deterring certain types of unauthorized access attempts, but requires inspection 
of each packet." (Paragraph [0089]) Terzis further teaches "The policies can be determined 
both by the identity of the user as well as by the group the user is associated with... Based on 
the policies associated with that user, a set of specific access rules are generated that enable 
the subsystems to provide filtering and deny access to prohibited resources and services" 
(Paragraph [0089]) 

The Examiner interprets the first user to be an administrator that implements 
packet-centric policies. (The security rules 690 may describe how packets matching the 
source, destination objects should be secured. Paragraph [0130]) 

The Examiner interprets the second user to be an administrator that implements 
user-centric policies. (The resource access rules are used to control which users have 
access to what resources. Paragraph [0120]) 

Terzis teaches the policy engine platform comprises a rule editor that is 
configured by the first user to perform at least one of deleting, adding, editing the at 
least one first policy by the first user. ("The interface between the policy engine and the SNMP 
agent may be used to add and delete policy objects" Paragraph [0064]) 

Terzis teaches a setting editor that is configured by the first user to select a 
security level from the plurality of security levels for the second user, ("an operator may 
be able to enter a set of human readable access rules that define what resources and services 
are accessible to that user (or machine). According to one embodiment, these human readable 
access rules are stored as policy objects." Paragraph [0136]) ("the policy engine talks to the 
components on the data plane to install and remove filters in response to policy rules," 
Paragraph [0062]) ("The policies can be determined both by the identity of the user as well as 
by the group the user is associated with... Based on the policies associated with that user, a set 
of specific access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access rules 
are used to control which users have access to what resources. The resource access rules 
define... permission level" Paragraph [0120]) The Examiner interprets permission level as the 
security level. 

Terzis does not explicitly teach if it has been determined that the first user is 
authorized to perform the specification by comparing a rank of the first user against a 
permitted rank. The Examiner interprets a permitted rank as the priority level, as 
described by the Applicant in pg. 8 of Remarks, "A policy provider is associated with a 
particular priority class or level" (Paragraph [0051] of Specification). 

Lambert teaches determining whether a first user is authorized to perform the 
specification by comparing a rank of the first user to a permitted rank before specifying 
a policy, ("the group policy objects... may be provided by administrators per site, domain, 
organizational unit, group and user. Among other things, group policy technology also provides 
a flexible and hierarchical way in which each administrator can establish which policies will win 
out over others if multiple policies conflict. For example, site policies can be set up to prevail 
over domain policies, which in turn can be set up to prevail over organizational unit policies...." 
Paragraph [0080]) 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the object model of Terzis with the policy provider priority ranking 
system of Lambert. 

The motivation is that Lambert teaches a well known way to deal with conflicts 
with group policy objects. 



Regarding Claim 25, 
Terzis and Lambert teach the object model of claim 24, Terzis further teaches 
further comprising an IPSecRule derived from the policyrule object, the IPSecRule 
being configured to trigger an IPSec callout when an IPSec condition is matched, and 
to indicate configuration parameters for securing traffic related to the callout. (Fig. 14, 
1440) 

The services dispatcher connects to the launch-pad which connects to the policy 
engine. 

Regarding Claim 26, 

Terzis and Lambert teach the object model of claim 25, Terzis further teaches 
wherein the IPSecRule evaluates a standard 5-tuple to determine if a condition has 
been met. (Fig. 11) 

Regarding Claim 27, 

Terzis and Lambert teach the object model of claim 24, Terzis further teaches 
further comprising a KeyingModuleRule derived from the policyrule object, the 
KeyingModuleRule being configured to select which key negotiation module to use 
when there is no existing secure channel to a remote peer. 
("The key exchange field specifies how keys are exchanged and determines what key 
parameters will be used." Paragraph [0130]) 

The Examiner interprets key negotiation as key exchange. The Examiner notes 
that the key exchange field is part of the security rules, which is part of the policy rules. 

Regarding Claim 28, 

Terzis and Lambert teach the object model of claim 27, Terzis further teaches 
wherein the KeyingModuleRule evaluates a standard 5-tuple to determine if a condition 
has been met. (Fig. 11) 

Regarding Claim 29, 

Terzis and Lambert teach the object model of claim 24, Terzis further teaches 
further comprising an IKERule derived from the policyrule object and configured to 
specify the parameters for carrying out the Internet Key Exchange key negotiation protocol. 
(Fig. 14, IKE) 



Regarding Claim 30, 
Terzis and Lambert teach the object model of claim 29, Terzis further teaches 
wherein the IKERule evaluates a local address and a remote address to determine if a 
condition has been met. This step is inherent in the IKE protocol. 

Regarding Claim 31, 

Terzis and Lambert teach the object model of claim 29, Terzis further teaches 
wherein the IKERule comprises an IKEAction action property that defines the 
authentication methods for performing the Internet Key Exchange key negotiation protocol. 

("The key exchange field specifies how keys are exchanged and determines what key 
parameters will be used." Paragraph [0130]) 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to HARRIS C. WANG whose telephone number is 
(571) 270-1462. The examiner can normally be reached on M-F 9-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, KRISTINE KINCAID, can be reached on (571) 272-4063. The fax phone 
number for the organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

HCW 

/Kristine Kincaid/ 

Supervisory Patent Examiner, Art Unit 2139 



